U.S. Application No.: 10/780,407 Attorney Docket No.: GRD03-04 

-2- 

IN THE CLAIMS 

1. (Currently Amended) An encoded set of processor based instructions on a computer readable medium operable to perform a method of monitoring access to a protected database resource comprising:

identifying an attempt to access the database resource, the access attempt being local and directed to an access gateway of the database resource;

identifying a plurality of access paths to the protected database resource;

intercepting the identified attempt to access the database resource, intercepting occurring in a prioritized manner with respect to receipt of the access attempt by the access gateway, intercepting further comprising:

determining an IPC mechanism to be employed by a local client for accessing the DB resource;

identifying a common access point for the access paths to the protected resource, access attempts occurring via the identified access point for the identified access paths;

establishing an IPC intercept from the common access point employed by database clients for accessing the DB resource; and

receiving the access attempt at the local agent via the IPC intercept prior to receipt of the access attempt by the access gateway; and

transmitting, in a nondestructive manner, the intercepted access attempt to a local agent, the nondestructive manner operable to preserve the intercepted access attempt for successive receipt by the access gateway.

2. (Original) The method of claim 1 wherein the access attempt is 
deterministic of a DB instruction, and the local agent is in communication with a data 
security device operable to analyze the propriety of the access attempt from objects and 
data values referenced by the DB instruction. 

3. (Original) The method of claim 1 wherein intercepting in a prioritized 
manner further comprises: 
receiving the access attempt into an interception register prior to receipt
by the access gateway; 

invoking a prioritized request to activate a reading operation of the 
interception register, invoking occurring prior to activation of a read operation of the 
access attempt on behalf of the access gateway; and 

reading the access attempt from the interception register, the interception 
register subsequently appearing undisturbed to the access gateway. 

4. (Original) The method of claim 1 further comprising, prior to identifying the 
access attempt, establishing an IPC intercept operable to receive IPC communications 
directed to the access gateway prior to receipt of the IPC communication by the access 
gateway. 

5. (Original) The method of claim 1 wherein identifying the access attempt 
further comprises listening, at a common access point, for an incoming connection to 
the database resource, the common access point adapted to aggregate access 
attempts to the database resource from a plurality of access mediums. 

6. (Original) The method of claim 2 wherein transmitting further comprises 
rerouting the intercepted access attempts to the data security device, the data security 
device operable to offload data security decisions as a consolidated appliance, the 
offloaded data security decisions relieving the host from processing the data security 
decisions. 

7. (Original) The method of claim 1 wherein the local agent performs rerouting of local access attempts in a lightweight manner such that the data security device is operable to receive local and remote access attempts, wherein security coverage of the DB server for network and local access attempts occurs via a common appliance.




8. (Original) The method of claim 1 wherein intercepting further comprises:

receiving, from a notification object responsive to an event handler, an indication of an IPC communication indicative of a DB access attempt;

identifying an instruction register in a shared memory area, the instruction register having a database instruction corresponding to the access attempt;

retrieving the DB instruction from the identified instruction register; and

transmitting the retrieved DB instruction to the data security device.

9. (Canceled) The method of claim 1 wherein the intercepting further comprises:

determining an IPC mechanism to be employed by a local client for accessing the DB resource;

establishing an IPC intercept from a common access point employed by database clients for accessing the DB resource; and

receiving the access attempt at the local agent via the IPC intercept prior to receipt of the access attempt by the access gateway.

10. (Canceled) The method of claim 9 wherein determining the IPC mechanism further comprises:

identifying a plurality of access paths to a protected resource;

identifying a common access point for the access paths to the protected resource, access attempts occurring exclusively via the identified access point for the identified access paths.

11. (Original) The method of claim 1 further comprising:

establishing an interface wrapper between the access gateway and the local client, the interface wrapper operable to identify an IPC mechanism adapted to transport communications between the access gateway and the local client; and

modifying the identified IPC mechanism to inform the local agent of the communications between the access gateway and the local client prior to informing the access gateway of the communication.

12. (Original) The method of claim 11 wherein the IPC mechanism is a shared
memory portion including a plurality of instruction registers, the instruction registers 
operable to buffer a DB instruction for receipt by the access gateway. 

13. (Currently Amended) The method of claim 1 wherein the local agent is a lightweight agent operable to intercept the access attempt and transmit the intercepted DB instruction to a data security device, the local agent avoiding analyzing the access attempt [[having a substantially insignificant effect]] on a DB host supporting the DB server.

14. (Currently Amended) The method of claim 1 wherein intercepting further comprises blocking the intercepted access attempt from receipt by the access gateway, and selectively unblocking the access attempt depending on a data security decision indicative of the propriety of the access attempt.

15. (Original) The method of claim 14 further comprising:

computing the data security decision at the data security device; and 
transmitting the data security decision to the local agent, the local agent 
operable to permit receipt of the access attempt by the DB server. 

16. (Original) The method of claim 15 wherein the data security decision
further comprises: selectively logging and blocking the access attempt, the data security 
decision including processing selected from the group consisting of firewalls, filters, 
intrusion detectors, alarms, alerts, tunneling and passwords. 
17. (Original) The method of claim 11 wherein establishing the interface wrapper further comprises:

identifying an event corresponding to a communication via the IPC mechanism;

identifying a local event object corresponding to the event, the local event object having a notification list adapted to include registrants of an occurrence of the event; and

registering the local agent in the notification list, the local agent registered before the access gateway to receive notifications prior to receipt of the notification by the registered access gateway.

18. (Currently Amended) An encoded set of processor based instructions on a computer readable medium for method of controlling local access to a database comprising:

identifying a local access gateway to the database, the access gateway being a common access point into the database;

establishing an interception wrapper between a local client and the access gateway, establishing the interception wrapper further comprising:

identifying, at least one interprocess communication operation, each of the identified IPC operation corresponding to an event, the event derived from a database (DB) instruction;

instantiating a local event object corresponding to the event, the local event object having a notification list indicative of notifications of an object to be made upon an occurrence of the event; and

storing, in a first position in the notification list, an indication of the local agent, the first position operable to provide the first notification upon an occurrence of the event, prior to other notifications in the notification list;

intercepting, via the interception wrapper, an access attempt from a local client prior to receipt of the access attempt by the access gateway, the access attempt indicative of a pending DB instruction in an IPC buffer;

identifying a local event object corresponding to the access attempt;

indexing a notification list corresponding to the identified local event object;

traversing the indexed notification list, the notification list including entries of notifications to be performed upon occurrence of the event;

reading a traversed entry corresponding to the local agent, the entry indicative of the location of the local agent;

notifying the local agent using the read location of the local agent;

retrieving, in response to the notification, the DB instruction from the IPC buffer;

transmitting the retrieved DB instruction from the IPC buffer to a data security device operable to analyze the propriety of the DB instruction;

reading a successive traversed entry corresponding to the access gateway, the entry indicative of the location of the access gateway; and

notifying, after the notifying of the local agent, the access gateway of the IPC event occurrence using the read location of the access gateway.

19. (Currently Amended) The method of claim 18 wherein establishing the interception wrapper further comprises:

[[identifying, at least one interprocess communication operation, each of the identified IPC operation corresponding to an event, the event derived from a database (DB) instruction;

instantiating a local event object corresponding to the event, the local event object having a notification list indicative of notifications of an object to be made upon an occurrence of the event;

storing, in a first position in the notification list, an indication of the local agent, the first position operable to provide the first notification upon an occurrence of the event, prior to other notifications in the notification list; and]]

storing, in a successive position in the notification list, an indication of the access gateway, the access gateway operable to employ the IPC event for database instructions.

20. (Original) The method of claim 18 wherein the interception wrapper is operable to receive interprocess communication signaling between the local client and the access gateway, and intercepting further comprises:

receiving, by the interception wrapper, a signaling message to the access gateway;

processing the signaling message to identify a DB instruction in the register; and

passing the signaling message in a nondestructive manner to the access gateway.

21. (Currently Amended) A local agent comprising a computer readable medium operable to store an encoded set of processor based instructions for monitoring access to a protected database resource comprising:

an interface operable to identify an attempt to access the database resource, the access attempt being local and directed to an access gateway of the database resource, the access attempt being deterministic of a DB instruction, the local agent being in communication with a data security device operable to analyze the propriety of the access attempt from objects and data values referenced by the DB instruction;

an IPC intercept operable to intercept the identified attempt to access the database resource, intercepting occurring in a prioritized manner with respect to receipt of the access attempt by the access gateway, the local agent further operable to transmit, in a nondestructive manner, the intercepted access attempt to a data security device [[local agent]], the nondestructive manner operable to preserve the intercepted access attempt for successive receipt by the access gateway, the local agent further operable to reroute the intercepted access attempts to the data security device, the data security device operable to offload data security decisions as a consolidated appliance, the offloaded data security decisions relieving the host from processing the data security decisions.

22. (Canceled) The agent of claim 21 wherein the access attempt is deterministic of a DB instruction, and the local agent is in communication with a data security device operable to analyze the propriety of the access attempt from objects and data values referenced by the DB instruction.

23. (Original) The agent of claim 21 wherein the local agent is operable to 
intercept in a prioritized manner, and further operable to: 

receive the access attempt into an interception register prior to receipt by 
the access gateway; 

invoke a prioritized request to activate a reading operation of the 
interception register, invoking occurring prior to activation of a read operation of the 
access attempt on behalf of the access gateway; and 

read the access attempt from the interception register, the interception 
register subsequently appearing undisturbed to the access gateway. 

24. (Original) The agent of claim 21 wherein the local agent is operable to, 
prior to identifying the access attempt, establish the IPC intercept operable to receive an 
IPC communication directed to the access gateway prior to receipt of the IPC 
communication by the access gateway. 

25. (Original) The agent of claim 21 wherein the local agent is further operable 
to listen, at a common access point, for an incoming connection to the database 
resource, the common access point adapted to aggregate access attempts to the 
database resource from a plurality of access mediums. 



26. (Canceled) The agent of claim 22 wherein the local agent is further operable to reroute the intercepted access attempts to the data security device, the data security device operable to offload data security decisions as a consolidated appliance, the offloaded data security decisions relieving the host from processing the data security decisions.

27. (Currently Amended) The agent [[method]] of claim 21 wherein the local agent is operable to reroute local access attempts in a lightweight manner such that the data security device is operable to receive local and remote access attempts, wherein security coverage of the DB server for network and local access attempts occurs via a common appliance.

28. (Original) The agent of claim 21 wherein the local agent is further operable to:

receive, from a notification object responsive to an event handler, an 
indication of an IPC communication indicative of a DB access attempt; 

identify an instruction register in a shared memory area, the instruction 
register having a database instruction corresponding to the access attempt; 

retrieve the DB instruction from the identified instruction register; and 

transmit the retrieved DB instruction to the data security device. 

29. (Original) The agent of claim 21 wherein the local agent is further operable to:

determine an IPC mechanism to be employed by a local client for 
accessing the DB resource; 

establish an IPC intercept from a common access point employed by 
database clients for accessing the DB resource; and 

receive the access attempt at the local agent via the IPC intercept prior to 
receipt of the access attempt by the access gateway. 




30. (Original) The agent of claim 29 wherein the local agent is further operable to:

identify a plurality of access paths to a protected resource; 

identify a common access point for the access paths to the protected resource, 
access attempts occurring exclusively via the identified access point for the identified 
access paths. 

31. (Original) The agent of claim 21 wherein the local agent is further operable to:

establish an interface wrapper between the access gateway and the local client, 
the interface wrapper operable to identify an IPC mechanism adapted to transport 
communications between the access gateway and the local client; and 

modify the identified IPC mechanism to inform the local agent of the 
communications between the access gateway and the local client prior to informing the 
access gateway of the communication. 

32. (Original) The agent of claim 31 wherein the IPC mechanism is a shared 
memory portion including a plurality of instruction registers, the instruction registers 
operable to buffer a DB instruction for receipt by the access gateway. 

33. (Currently Amended) The agent of claim 21 wherein the local agent is a lightweight agent operable to intercept the access attempt and transmit the intercepted DB instruction to a data security device, the local agent avoiding analyzing the access attempt [[having a substantially insignificant effect]] on a DB host supporting the DB server.

34. (Currently Amended) The agent of claim 21 wherein the local agent is further operable to:

block the intercepted access attempt from receipt by the access gateway, and selectively unblock the access attempt depending on a data security decision indicative of the propriety of the access attempt.

35. (Original) The agent of claim 34 wherein the local agent is responsive to 
the data security device for: 

computing the data security decision at the data security device; and 
transmitting the data security decision to the local agent, the local agent 
operable to permit receipt of the access attempt by the DB server. 

36. (Original) The agent of claim 35 wherein the data security device is 
operable to selectively log and block the access attempt, the data security decision 
including processing selected from the group consisting of firewalls, filters, intrusion 
detectors, alarms, alerts, tunneling and passwords. 

37. (Original) The agent of claim 24 wherein the local agent is further operable to:

identify an event corresponding to the communication via an IPC mechanism;

identify a local event object corresponding to the event, the local event object having a notification list adapted to include registrants of an occurrence of the event; and

register the local agent in the notification list, the local agent registered before the access gateway to receive notifications prior to receipt of the notification by the registered access gateway.

38. (Currently Amended) A data security device for monitoring access to a protected database resource comprising:

a memory comprising a computer readable medium operable to store an encoded set of processor based instructions;

a processor operable to execute instructions in the memory;

an interface operable for interconnection with a database host, the data security device in communication with a local agent on the database host, the local agent operable to:

identify an attempt to access the database resource, the access attempt being local and directed to an access gateway of the database resource;

intercept the identified attempt to access the database resource, intercepting occurring in a prioritized manner with respect to receipt of the access attempt by the access gateway, intercepting further comprising:

identifying, at least one interprocess communication operation, each of the identified IPC operation corresponding to an event, the event derived from a database (DB) instruction;

instantiating a local event object corresponding to the event, the local event object having a notification list indicative of notifications of an object to be made upon an occurrence of the event; and

storing, in a first position in the notification list, an indication of the local agent, the first position operable to provide the first notification upon an occurrence of the event, prior to other notifications in the notification list; and

transmit, in a nondestructive manner, the intercepted access attempt to a local agent, the nondestructive manner operable to preserve the intercepted access attempt for successive receipt by the access gateway.

39. (Currently Amended) A computer program product having a computer readable medium operable to store computer program logic embodied in computer program code encoded as a set of processor based instructions thereon for monitoring access to a protected database resource comprising:

computer program code for identifying an attempt to access the database resource, the access attempt being local and directed to an access gateway of the database resource;

computer program code for intercepting the identified attempt to access the database resource, intercepting occurring in a prioritized manner with respect to receipt of the access attempt by the access gateway, computer program code for intercepting further comprising:

computer program code for determining an IPC mechanism to be employed by a local client for accessing the DB resource;

computer program code for identifying a common access point for the access paths to the protected resource, access attempts occurring via the identified access point for the identified access paths;

computer program code for establishing an IPC intercept from the common access point employed by database clients for accessing the DB resource; and

receiving the access attempt at the local agent via the IPC intercept prior to receipt of the access attempt by the access gateway; and

computer program code for transmitting, in a nondestructive manner, the intercepted access attempt to a local agent, the nondestructive manner operable to preserve the intercepted access attempt for successive receipt by the access gateway.

40. (Currently Amended) A computer data signal having program code encoded on a computer readable medium for monitoring access to a protected database resource comprising:

program code for identifying, by a local agent, an attempt to access the database resource, the access attempt being local and directed to an access gateway of the database resource, the access attempt being deterministic of a DB instruction, the local agent being in communication with a data security device operable to analyze the propriety of the access attempt from objects and data values referenced by the DB instruction;

program code for intercepting the identified attempt to access the database resource, intercepting occurring in a prioritized manner with respect to receipt of the access attempt by the access gateway; and

program code for transmitting, in a nondestructive manner, the intercepted access attempt to a data security device [[local agent]], the nondestructive manner operable to preserve the intercepted access attempt for successive receipt by the access gateway, the local agent further operable to reroute the intercepted access attempts to the data security device, the data security device operable to offload data security decisions as a consolidated appliance, the offloaded data security decisions relieving the host from processing the data security decisions.

41. (Currently Amended) A security filter device comprising a computer readable medium operable to store an encoded set of processor based instructions for behavior based access tracking of a software application comprising:

means for identifying, via a local agent, an attempt to access the database resource, the access attempt being local and directed to an access gateway of the database resource, the access attempt being deterministic of a DB instruction, the local agent being in communication with a data security device operable to analyze the propriety of the access attempt from objects and data values referenced by the DB instruction;

means for intercepting the identified attempt to access the database resource, intercepting occurring in a prioritized manner with respect to receipt of the access attempt by the access gateway, intercepting further comprising:

determining an IPC mechanism to be employed by a local client for accessing the DB resource;

identifying a common access point for the access paths to the protected resource, access attempts occurring via the identified access point for the identified access paths;

establishing an IPC intercept from the common access point employed by database clients for accessing the DB resource; and

receiving the access attempt at the local agent via the IPC intercept prior to receipt of the access attempt by the access gateway; and

means for transmitting, in a nondestructive manner, the intercepted access attempt to a data security device [[local agent]], the nondestructive manner operable to preserve the intercepted access attempt for successive receipt by the access gateway, the local agent further operable to reroute the intercepted access attempts to the data security device, the data security device operable to offload data security decisions as a consolidated appliance, the offloaded data security decisions relieving the host from processing the data security decisions.

42. (New) An encoded set of processor based instructions operable to perform a method of monitoring access to a protected database resource comprising:

identifying an attempt to access the database resource, the access attempt being local and directed to an access gateway of the database resource, identifying the access attempt further comprising listening, at a common access point, for an incoming connection to the database resource, the common access point adapted to aggregate access attempts to the database resource from a plurality of access mediums;

intercepting the identified attempt to access the database resource, intercepting occurring in a prioritized manner with respect to receipt of the access attempt by the access gateway, intercepting further comprising:

determining an IPC mechanism to be employed by a local client for accessing the DB resource;

identifying a common access point for the access paths to the protected resource, access attempts occurring via the identified access point for the identified access paths, the access attempt being deterministic of a DB instruction, and the local agent is in communication with a data security device operable to analyze the propriety of the access attempt from objects and data values referenced by the DB instruction;

establishing an IPC intercept from the common access point employed by database clients for accessing the DB resource; and

intercepting the access attempt at the local agent via the IPC intercept prior to receipt of the access attempt by the access gateway; and

receiving, in a nondestructive manner, the intercepted access attempt by a local agent, the nondestructive manner operable to preserve the intercepted access attempt for successive receipt by the access gateway, transmitting further comprising rerouting the intercepted access attempts to the data security device, the data security device operable to offload data security decisions as a consolidated appliance, the offloaded data security decisions relieving the host from processing the data security decisions.

43. (New) The method of claim 42 wherein intercepting the access attempt further 
comprises: 

identifying, at least one interprocess communication operation, each of the 
identified IPC operation corresponding to an event, the event derived from a database 
(DB) instruction; 

instantiating a local event object corresponding to the event, the local event 
object having a notification list indicative of notifications of an object to be made upon 
an occurrence of the event; and 

storing, in a first position in the notification list, an indication of the local agent, 
the first position operable to provide the first notification upon an occurrence of the 
event, prior to other notifications in the notification list; and 

storing, in a successive position in the notification list, an indication of the access 
gateway, the access gateway operable to employ the IPC event for database 
instructions. 
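The mechanism that claims 1, 3, 14 to 16 and 18 to 19 describe (a local agent stored ahead of the access gateway in an IPC event's notification list, reading the instruction register without consuming it, rerouting the instruction to a data security device and holding the gateway's notification until the decision returns), as an added Python model that is not code from the application, its applicant or any product. The shared-memory register, the event object, the SQL object and value extraction, the policy table and the principals are all constructed here as assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

@dataclass
class DataSecurityDevice:
    """Consolidated appliance holding the policy (claims 6-7): object name -> allowed principals."""
    protected_objects: Dict[str, Set[str]]
    log: List[str] = field(default_factory=list)

    @staticmethod
    def referenced(sql: str):
        """Objects (names after FROM/INTO/UPDATE/JOIN) and quoted data values in the instruction."""
        objects = [m.group(1).lower() for m in re.finditer(
            r"\b(?:from|into|update|join)\s+([A-Za-z_][\w.]*)", sql, re.IGNORECASE)]
        return objects, re.findall(r"'([^']*)'", sql)

    def decide(self, principal: str, sql: str) -> bool:
        objects, values = self.referenced(sql)
        for obj in objects:
            allowed = self.protected_objects.get(obj)
            if allowed is not None and principal not in allowed:
                self.log.append(f"DENY {principal} object={obj} values={values}")
                return False
        self.log.append(f"ALLOW {principal} objects={objects} values={values}")
        return True

@dataclass
class InstructionRegister:
    """Shared-memory slot buffering one DB instruction for the gateway (claim 12)."""
    principal: str = ""
    sql: str = ""

    def read(self) -> str:
        return self.sql  # nondestructive: the slot stays intact for later readers (claim 3)

class AccessGateway:
    """Stand-in for the DB server's entry point; executes whatever it is notified of."""
    name = "gateway"

    def __init__(self):
        self.executed: List[str] = []

    def notify(self, reg: InstructionRegister) -> bool:
        self.executed.append(reg.read())
        return True

class LocalAgent:
    """Lightweight agent: reads, reroutes, and gates the gateway's notification (claims 13-15)."""
    name = "agent"

    def __init__(self, device: DataSecurityDevice):
        self.device, self.forwarded = device, []

    def notify(self, reg: InstructionRegister) -> bool:
        sql = reg.read()
        self.forwarded.append(sql)
        return self.device.decide(reg.principal, sql)  # False keeps the gateway blocked

class LocalEventObject:
    """IPC event whose notification list is traversed in stored order (claim 18)."""
    def __init__(self):
        self.notification_list: list = []
        self.register = InstructionRegister()

    def signal(self, principal: str, sql: str) -> List[str]:
        """Client side: fill the register and raise the event; returns who was notified."""
        self.register.principal, self.register.sql = principal, sql
        notified: List[str] = []
        for entry in self.notification_list:
            notified.append(entry.name)
            if not entry.notify(self.register):
                break  # blocked: later entries (the gateway) never see this instruction
        return notified

def establish_interception_wrapper(event, agent, gateway) -> List[str]:
    """Agent first, gateway in the successive position (claim 19), whatever the prior order."""
    others = [e for e in event.notification_list if e is not gateway]
    event.notification_list = [agent] + others + [gateway]
    return [e.name for e in event.notification_list]

def build_host():
    """Constructed host: 'payroll' is protected and only 'hr_batch' may reference it."""
    device = DataSecurityDevice(protected_objects={"payroll": {"hr_batch"}})
    event, gateway = LocalEventObject(), AccessGateway()
    event.notification_list.append(gateway)  # the gateway was registered first
    agent = LocalAgent(device)
    establish_interception_wrapper(event, agent, gateway)
    return device, event, agent, gateway
```

Calling `event.signal(principal, sql)` on the host returned by `build_host()` shows the ordering: the agent is always notified first, and the gateway only when the device's decision unblocks it, while `event.register.read()` still returns the instruction afterwards.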



